Australian education’s cybersecurity challenge

Once upon a time, the biggest threat to the cybersecurity of Australian education was a student changing their grades or attendance record like a scene out of Ferris Bueller’s Day Off. While this sort of mischief is still a headache for IT leaders at schools and universities around the world, it’s by no means the biggest challenge they now face.

Data management systems, web-based platforms, social platforms, cloud services, remote-user-access software, and mobile-learning tools have allowed schools and universities to cut costs, drive efficiencies, and remove much of the friction involved in communicating with students (and their parents).

However, as detailed in a recent Australian Cybersecurity article, for every upside technology has delivered to Australian education, there has been a downside. The Australian Government’s website, Bullying. No Way!, details the unfortunate facts about students using technology to cyberbully—and that bullying has extended to their teachers as well, according to SBS News. Both students and teachers can use school or university devices or bring-your-own-device (BYOD) policies to access inappropriate material, as the Daily Telegraph reports. Additionally, embarrassing data breaches can occur as a result of, for example, the lax printer security of third-party vendors—and intellectual property and student information can be easily purloined by foreign powers, as an article in The New Daily highlights.

As Australian Cybersecurity warns, “school networks are increasingly targeted by ransomware, data theft and denial of service attacks (DDoS) . . . A number of schools fail to implement basic steps to secure network and data.” These all-too-prevalent threats make one thing clear: it’s time for schools and universities to step up their approach to cybersecurity—fast.

Implement basic steps

So, what can an IT leader working in the Australian education system do to improve cybersecurity? As with IT leaders working in any industry, there are many resources available to help stay up to date on best practice in balancing functionality with security, such as those provided by the Australian Cyber Security Centre. They can also lobby for the purchase of the most secure equipment. For example, to ensure printer security, those who handle the IT budget should seek out printers built with upgradeable firmware that can detect and self-heal from malware. Schools and universities also face challenges that aren’t on the radar of private businesses and government departments, which means off-the-shelf solutions such as secure printers can’t do the job alone. Cooperation from students and staff is of equal importance.

Engage teachers, staff, and parents

IT leaders at primary and secondary schools can suggest the following practices be implemented within their school’s community:

  • Train teachers and admin staff in cybersecurity awareness and privacy requirements
  • Form a cybersecurity working group to encourage the correct and safe use of devices
  • Appoint a senior member of the school staff to the role of privacy officer
  • Review procurement procedures and possibly amend purchasing contracts to ensure vendors are providing secure technology, an increasingly important measure given the rise of third-party technologies in schools, according to The Educator Online

In late 2018, an NTT security report noted that attacks against the Australian education system had jumped and advised schools to think of risk management as a process.

Guard the IP honeypot

A recent report from the Australian Cyber Security Centre noted, “Universities are an attractive target given their research across a range of fields and the intellectual property this research is likely to generate.” Consider also that universities possess personal data about those who are, or will be, a nation’s business, political and military leaders.

In an article from The Conversation, Greg Austin—a UNSW professor and cybersecurity expert—claims that, on the whole, university cybersecurity is weak. He offers the following suggestions to IT leaders and other cybersecurity stakeholders working at Australian universities:

  • Collect better data on the in-house and outsourced cybersecurity measures among Australia’s universities, the budgets devoted to such arrangements, and the efficacy of those arrangements
  • Insist on two-factor authentication and prohibit staff and students from using their own devices and USBs
  • Require staff and students to undertake basic cybersecurity training, such as password selection lessons or sessions on how to avoid being phished
  • Follow the lead of corporations by elevating cybersecurity to a top priority and making the CEO (i.e., vice-chancellor) or board of directors (i.e., university council) responsible for security rather than letting the buck stop with the IT Director

With the growing number of cybersecurity breaches in the Australian education sector, the stakes are too high to overlook training and security initiatives among students and faculty. Now is the time for IT leaders throughout the sector to lobby for a more serious and well-resourced approach.